Linuxeden开源社区
Node.js 8.11.3 和 10.4.1 发布了,更新内容如下:
8.11.3
Notable Changes
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
Commits
- [
e1ff7c3cbc] – deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#125 - [
c5a2748d8f] – doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#119 - [
354f2d97ff] – http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#123 - [
25c5111ca4] – src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#119 - [
10c5adf19b] – test: addRealloc()shrink after reading stream data test (Anna Henningsen) nodejs-private/node-private#132 - [
bc91220ca2] – test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#131 - [
acd11b01c4] – test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#125
下载地址:
10.4.1
Notable Changes
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work
Commits
- [
1bbfe9a72b] – build: fix configure script for double-digits (Misty De Meo) #21183 - [
4c90ee8fc6] – deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#117 - [
e5c2f575b1] – deps: patch V8 to 6.7.288.45 (Michaël Zasso) #21192 - [
03ded94ffe] – deps: patch V8 to 6.7.288.44 (Michaël Zasso) #21146 - [
4de7e0c96c] – deps,npm: float node-gyp patch on npm (Rich Trott) #21239 - [
92d7b6c9a0] – fs: fix promises reads with pos > 4GB (cjihrig) #21148 - [
8681402228] – http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#115 - [
53f8563353] – n-api: back up env before async work finalize (Gabriel Schulhof) #21129 - [
9ba8ed1371] – src: re-addRealloc()shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#128 - [
8e979482fa] – Revert “src: restore stdio on program exit” (Evan Lucas) #21257 - [
cb5ec64956] – src: reset TTY mode before cleaning up resources (Anna Henningsen) #21257 - [
ae5567eaea] – test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#117 - [
e87bf625dd] – test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#127 - [
eea2bce58d] – tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#127 - [
1e49eadd68] – tools,gyp: fix regex for version matching (Rich Trott) #21216
下载地址:
转自 https://www.oschina.net/news/97070/nodejs-8-11-3-and-10-4-1-released